



<!DOCTYPE html>
<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  
  <title>SECRET_KEY published &mdash; Python Anti-Patterns  documentation</title>
  

  
  

  

  
  
    

  

  
  
    <link rel="stylesheet" href="../../../_static/css/theme.css" type="text/css" />
  

  
    <link rel="stylesheet" href="../../../_static/css/ribbon.css" type="text/css" />
  
    <link rel="stylesheet" href="../../../_static/css/font-awesome-4.1.0/css/font-awesome.min.css" type="text/css" />
  
    <link rel="stylesheet" href="../../../_static/css/menu.css" type="text/css" />
  
        <link rel="index" title="Index"
              href="../../../genindex.html"/>
        <link rel="search" title="Search" href="../../../search.html"/>
    <link rel="top" title="Python Anti-Patterns  documentation" href="../../../index.html"/>
        <link rel="up" title="Security" href="index.html"/>
        <link rel="next" title="Same value for MEDIA_ROOT and STATIC_ROOT" href="same_value_for_media_root_and_static_root.html"/>
        <link rel="prev" title="ALLOWED_HOSTS setting missing" href="allowed_hosts_setting_missing.html"/> 

</head>

<body class="wy-body-for-nav" role="document">

  <div class="wy-grid-for-nav">

    
    <nav data-toggle="wy-nav-shift" class="wy-nav-side">
      <div class="wy-side-nav-search">
        <a href="../../../index.html"> Python Anti-Patterns</a>
        <div role="search">
  <form id ="rtd-search-form" class="wy-form" action="../../../search.html" method="get">
    <input type="text" name="q" placeholder="Search docs" />
    <input type="hidden" name="check_keywords" value="yes" />
    <input type="hidden" name="area" value="default" />
  </form>
</div>
      </div>


      <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
        
        
            <ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../../../correctness/index.html"><i class="fa fa-check"></i> Correctness</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../maintainability/index.html"><i class="fa fa-puzzle-piece"></i> Maintainability</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../readability/index.html"><i class="fa fa-eye"></i> Readability</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../security/index.html"><i class="fa fa-lock"></i> Security</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../performance/index.html"><i class="fa fa-dashboard"></i> Performance</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="../../index.html"><i class="fa fa-book"></i> Django</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="../maintainability/index.html"><i class="fa fa-puzzle-piece"></i> Maintainability</a></li>
<li class="toctree-l2 current"><a class="reference internal" href="index.html"><i class="fa fa-lock"></i> Security</a><ul class="current">
<li class="toctree-l3"><a class="reference internal" href="allowed_hosts_setting_missing.html">ALLOWED_HOSTS setting missing</a></li>
<li class="toctree-l3 current"><a class="current reference internal" href="#">SECRET_KEY published</a></li>
<li class="toctree-l3"><a class="reference internal" href="same_value_for_media_root_and_static_root.html">Same value for MEDIA_ROOT and STATIC_ROOT</a></li>
<li class="toctree-l3"><a class="reference internal" href="same_value_for_media_url_and_static_url.html">Same value for MEDIA_URL and STATIC_URL</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../correctness/index.html"><i class="fa fa-check"></i> Correctness</a></li>
<li class="toctree-l2"><a class="reference internal" href="../performance/index.html"><i class="fa fa-dashboard"></i> Performance</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../1.8/migration/index.html"><i class="fa fa-magic"></i> Migration to 1.8</a></li>
</ul>
</li>
</ul>

        
      </div>
      &nbsp;

    </nav>

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      
      <nav class="wy-nav-top" role="navigation" aria-label="top navigation">
        <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
        <a href="../../../index.html">Python Anti-Patterns</a>
      </nav>


      
      <div class="wy-nav-content" id="signup-box" >
        <div class="rst-content">
          <div class="navigation" role="navigation" aria-label="breadcrumbs navigation">
  <ul class="wy-breadcrumbs">
    <li><a href="../../../index.html">Documentation</a> &raquo;</li>
      
          <li><a href="../../index.html"><i class="fa fa-book"></i> Django</a> &raquo;</li>
      
          <li><a href="index.html"><i class="fa fa-lock"></i> Security</a> &raquo;</li>
      
    <li>SECRET_KEY published</li>
      <li class="wy-breadcrumbs-aside">
        
          <a href="../../../_sources/django/all/security/django_secrect_key_published.rst.txt" rel="nofollow"> View page source</a>
        
      </li>
  </ul>
  <hr/>
</div>

          <div role="main">
            
  <div class="section" id="secret-key-published">
<h1>SECRET_KEY published<a class="headerlink" href="#secret-key-published" title="Permalink to this headline">¶</a></h1>
<p>A secret key has to be be kept secret. Make sure it is only used in production, but nowhere else. Especially, avoid committing it to source control. This increases security and makes it less likely that an attacker may acquire the key.</p>
<div class="section" id="anti-pattern">
<h2>Anti-pattern<a class="headerlink" href="#anti-pattern" title="Permalink to this headline">¶</a></h2>
<p>This settings.py contains a SECRET_KEY. You should not do this!</p>
<div class="highlight-python notranslate"><div class="highlight"><pre><span></span><span class="sd">&quot;&quot;&quot; settings.py &quot;&quot;&quot;</span>
<span class="n">SECRET_KEY</span> <span class="o">=</span> <span class="s1">&#39;ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz&#39;</span>
</pre></div>
</div>
</div>
<div class="section" id="better-practices">
<h2>Better Practices<a class="headerlink" href="#better-practices" title="Permalink to this headline">¶</a></h2>
<div class="section" id="load-key-from-environment-variable">
<h3>Load key from environment variable<a class="headerlink" href="#load-key-from-environment-variable" title="Permalink to this headline">¶</a></h3>
<p>Instead of publishing your secret key, you can use an environment variable to set your secret key.</p>
<div class="highlight-python notranslate"><div class="highlight"><pre><span></span><span class="kn">import</span> <span class="nn">os</span>
<span class="n">SECRET_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">environ</span><span class="p">[</span><span class="s1">&#39;SECRET_KEY&#39;</span><span class="p">]</span>
</pre></div>
</div>
</div>
<div class="section" id="load-secret-key-from-file">
<h3>Load secret key from file<a class="headerlink" href="#load-secret-key-from-file" title="Permalink to this headline">¶</a></h3>
<p>Alternatively, you can read the secret key from a file.</p>
<div class="highlight-python notranslate"><div class="highlight"><pre><span></span><span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s1">&#39;/etc/secret_key.txt&#39;</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span>
    <span class="n">SECRET_KEY</span> <span class="o">=</span> <span class="n">f</span><span class="o">.</span><span class="n">read</span><span class="p">()</span><span class="o">.</span><span class="n">strip</span><span class="p">()</span>
</pre></div>
</div>
</div>
</div>
<div class="section" id="references">
<h2>References<a class="headerlink" href="#references" title="Permalink to this headline">¶</a></h2>
<ul class="simple">
<li><p><a class="reference external" href="https://docs.djangoproject.com/en/1.7/howto/deployment/checklist/">Django</a></p></li>
</ul>
</div>
</div>


          </div>
          <footer>
  
    <div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
      
        <a href="same_value_for_media_root_and_static_root.html" class="btn btn-neutral float-right" title="Same value for MEDIA_ROOT and STATIC_ROOT"/>Next <span class="fa fa-arrow-circle-right"></span></a>
      
      
        <a href="allowed_hosts_setting_missing.html" class="btn btn-neutral" title="ALLOWED_HOSTS setting missing"><span class="fa fa-arrow-circle-left"></span> Previous</a>
      
    </div>
  

  <hr/>

  <div role="contentinfo">
    <p>
    </p>
  </div>

    <!--End mc_embed_signup-->
  <a href="https://github.com/snide/sphinx_rtd_theme">Sphinx theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a> - Last updated: Sep 29, 2020 
</footer>
        </div>
      </div>

    </section>


  </div>
  


  

    <script type="text/javascript">
        var DOCUMENTATION_OPTIONS = {
            URL_ROOT:'../../../',
            VERSION:'',
            COLLAPSE_INDEX:false,
            FILE_SUFFIX:'.html',
            HAS_SOURCE:  true
        };
    </script>
      <script type="text/javascript" src="../../../_static/jquery.js"></script>
      <script type="text/javascript" src="../../../_static/underscore.js"></script>
      <script type="text/javascript" src="../../../_static/doctools.js"></script>
      <script type="text/javascript" src="../../../_static/language_data.js"></script>

  

  
  
    <script type="text/javascript" src="../../../_static/js/theme.js"></script>
  

  
  
  <script type="text/javascript">
      jQuery(function () {
          SphinxRtdTheme.StickyNav.enable();
      });
  </script>
   

  <!-- Place this tag right after the last button or just before your close body tag. -->
  <script async defer id="github-bjs" src="https://buttons.github.io/buttons.js"></script>

</body>
</html>